MCP Server implementations and gateway infrastructure
zgaetano a1a6ef137a security: require auth on all admin/dashboard/user routes
/admin, /dashboard, /dashboard/status, and all /users/* and /keys/*
endpoints were publicly accessible with no authentication, exposing
user management, API key generation, and backend topology to anyone.

- /dashboard and /dashboard/status now require Bearer token
- /admin (user management UI) now requires Bearer token
- All /users/* and /keys/revoke routes now require Bearer token
- /health scrubbed of sensitive fields (token counts, client counts)
- /linkedin/* left public (required for OAuth callback flow)

Auth checks use GATEWAY_STATIC_API_KEY or valid OAuth access tokens,
consistent with the existing /mcp and /status endpoints.
2026-03-31 23:32:15 -04:00
dashboard Add dashboard/Dashboard.jsx 2026-03-31 15:33:28 -04:00
erpnext-mcp Add erpnext-mcp/src/tools/stock.ts 2026-03-31 15:33:33 -04:00
forgejo-mcp fix(forgejo-mcp): convert sync httpx.Client to async AsyncClient 2026-03-31 23:17:52 -04:00
gateway-proxy security: require auth on all admin/dashboard/user routes 2026-03-31 23:32:15 -04:00
homeassistant-mcp Add homeassistant-mcp/requirements.txt 2026-03-31 15:33:42 -04:00
linkedin-mcp Add linkedin-mcp/SETUP.md 2026-03-31 15:33:44 -04:00
memory-bank-mcp Add Memory Bank, Puppeteer, Sequential Thinking, and Docker MCP servers 2026-03-31 23:02:47 -04:00
puppeteer-mcp Add Memory Bank, Puppeteer, Sequential Thinking, and Docker MCP servers 2026-03-31 23:02:47 -04:00
scripts Add scripts/wave-token-refresh.sh 2026-03-31 15:33:44 -04:00
sequential-thinking-mcp Add Memory Bank, Puppeteer, Sequential Thinking, and Docker MCP servers 2026-03-31 23:02:47 -04:00
ssh-mcp Replace docker-mcp with ssh-mcp 2026-03-31 23:25:10 -04:00
truenas-mcp Add truenas-mcp/truenas_mcp.py 2026-03-31 15:33:45 -04:00
wave-mcp Add wave-mcp/src/tools/products.ts 2026-03-31 15:33:51 -04:00
.env Add .env 2026-03-31 15:33:21 -04:00
.gitignore Add .gitignore 2026-03-31 15:33:21 -04:00
API_CREDENTIALS_SETUP.md Add API_CREDENTIALS_SETUP.md 2026-03-31 15:33:21 -04:00
ARCHITECTURE.md Add ARCHITECTURE.md 2026-03-31 15:33:22 -04:00
DASHBOARD_SETUP.md Add DASHBOARD_SETUP.md 2026-03-31 15:33:22 -04:00
DEPLOYMENT_CHECKLIST.md Add DEPLOYMENT_CHECKLIST.md 2026-03-31 15:33:22 -04:00
docker-compose.yml Replace docker-mcp with ssh-mcp 2026-03-31 23:25:10 -04:00
FORGEJO_IMPLEMENTATION_SUMMARY.md Add FORGEJO_IMPLEMENTATION_SUMMARY.md 2026-03-31 15:33:23 -04:00
FORGEJO_SETUP.md Add FORGEJO_SETUP.md 2026-03-31 15:33:23 -04:00
LINKEDIN_QUICK_START.md Add LINKEDIN_QUICK_START.md 2026-03-31 15:33:23 -04:00
LINKEDIN_TOKEN_GENERATION.md Add LINKEDIN_TOKEN_GENERATION.md 2026-03-31 15:33:23 -04:00
MCP_STACK_UPDATE.md Add MCP_STACK_UPDATE.md 2026-03-31 15:33:24 -04:00
openai_adapter.py Add openai_adapter.py 2026-03-31 15:33:24 -04:00
OPENAI_INTEGRATION.md Add OPENAI_INTEGRATION.md 2026-03-31 15:33:24 -04:00
OPENUI_OAUTH_FIX.md Add OPENUI_OAUTH_FIX.md 2026-03-31 15:33:24 -04:00
OPENUI_OAUTH_QUICK_FIX.txt Add OPENUI_OAUTH_QUICK_FIX.txt 2026-03-31 15:33:25 -04:00
OPENUI_SCHEMA_FIX.md Add OPENUI_SCHEMA_FIX.md 2026-03-31 15:33:25 -04:00
QUICK_OPENUI_FIX.txt Add QUICK_OPENUI_FIX.txt 2026-03-31 15:33:25 -04:00
README.md Add README.md 2026-03-31 15:33:26 -04:00
README_OPENAI.md Add README_OPENAI.md 2026-03-31 15:33:26 -04:00
RFP_SCRAPER_SETUP.md Add RFP_SCRAPER_SETUP.md 2026-03-31 15:33:27 -04:00
SETUP_OPEN_UI.md Add SETUP_OPEN_UI.md 2026-03-31 15:33:27 -04:00
USER_MANAGEMENT_SETUP.md Add USER_MANAGEMENT_SETUP.md 2026-03-31 15:33:27 -04:00

MCP Gateway Stack

Aggregates multiple MCP backend servers behind a single Streamable HTTP endpoint with OAuth 2.1 authentication, exposed via Tailscale Funnel.

Architecture

claude.ai / Claude Mobile / Claude Code
        │
        │  OAuth 2.1 (PKCE + DCR)
        ▼
┌─────────────────────────────┐
│  MCP Gateway Proxy (:4444)  │  ← mcp.wilddragon.net via Tailscale Funnel
│  OAuth Provider + Aggregator│
└────┬──────────┬─────────┬───┘
     │          │         │
     ▼          ▼         ▼
  ERPNext    TrueNAS    Home
  MCP        MCP        Assistant
  (:32802)   (:8100)    MCP (:8200)

OAuth 2.1 Flow

When claude.ai connects to https://mcp.wilddragon.net/mcp:

  1. Gateway returns 401 with WWW-Authenticate header pointing to resource metadata
  2. Claude discovers /.well-known/oauth-protected-resource → finds authorization server
  3. Claude discovers /.well-known/oauth-authorization-server → finds all OAuth endpoints
  4. Claude calls /oauth/register (Dynamic Client Registration) to get a client_id
  5. Claude opens /oauth/authorize in browser → you see a consent page → enter your password
  6. Gateway issues an authorization code, redirects to Claude's callback
  7. Claude exchanges the code at /oauth/token (with PKCE verification) → gets access + refresh tokens
  8. Claude sends MCP requests to /mcp with Authorization: Bearer <token>
  9. Tokens auto-refresh via the refresh token grant
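The PKCE binding in steps 5 to 7, as an added illustration that is not the gateway-proxy's own code: the client derives an S256 challenge from a random verifier, the gateway ties a one-time authorization code to that challenge, and the /oauth/token handler recomputes the challenge from the presented verifier before releasing tokens. The in-memory code store and function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed in-memory state standing in for the gateway's code store
# (assumption: the real gateway-proxy keeps this elsewhere).
_codes = {}  # auth_code -> {"challenge": str, "client_id": str, "used": bool}


def _s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Client side (step 5): 43-char random verifier and its S256 challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, _s256(verifier)


def issue_code(client_id: str, code_challenge: str, method: str = "S256") -> str:
    """Gateway side (step 6): mint a fresh code bound to the client and challenge."""
    if method != "S256":
        raise ValueError("only S256 is accepted")  # 'plain' is not allowed in OAuth 2.1
    code = secrets.token_urlsafe(32)
    _codes[code] = {"challenge": code_challenge, "client_id": client_id, "used": False}
    return code


def verify_token_request(code: str, client_id: str, code_verifier: str) -> bool:
    """Gateway side (step 7): PKCE check at /oauth/token; the code is single-use."""
    entry = _codes.get(code)
    if entry is None or entry["used"] or entry["client_id"] != client_id:
        return False
    entry["used"] = True  # burn the code even if the verifier turns out to be wrong
    return hmac.compare_digest(_s256(code_verifier), entry["challenge"])
```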

Setup

  1. Copy .env.example to .env and fill in your values
  2. Set a strong OAUTH_PASSWORD — this is what you type in the consent page
  3. Set OAUTH_ISSUER_URL to your public gateway URL (e.g., https://mcp.wilddragon.net)
  4. Build and start: docker compose up -d --build
  5. In claude.ai → Settings → Connectors → Add → paste https://mcp.wilddragon.net/mcp
  6. Complete the OAuth flow when prompted (enter your gateway password)

Environment Variables

Variable                 Required  Default                      Description
OAUTH_ISSUER_URL         Yes       https://mcp.wilddragon.net   Public URL of the gateway
OAUTH_PASSWORD           Yes       -                            Password for the consent page
OAUTH_ACCESS_TOKEN_TTL   No        3600                         Access token lifetime (seconds)
OAUTH_REFRESH_TOKEN_TTL  No        2592000                      Refresh token lifetime (seconds)
ERPNEXT_URL              Yes       -                            ERPNext instance URL
ERPNEXT_API_KEY          Yes       -                            ERPNext API key
ERPNEXT_API_SECRET       Yes       -                            ERPNext API secret
TRUENAS_URL              Yes       -                            TrueNAS API URL
TRUENAS_API_KEY          Yes       -                            TrueNAS API key
HASS_URL                 Yes       -                            Home Assistant URL
HASS_TOKEN               Yes       -                            Home Assistant long-lived token

Endpoints

Endpoint                                         Auth    Purpose
GET  /health                                     None    Health check
GET  /status                                     Bearer  Detailed backend status
GET  /.well-known/oauth-protected-resource       None    RFC 9728 resource metadata
GET  /.well-known/oauth-authorization-server     None    RFC 8414 server metadata
POST /oauth/register                             None    RFC 7591 dynamic client registration
GET  /oauth/authorize                            None    Authorization page (consent form)
POST /oauth/token                                None    Token exchange / refresh
POST /mcp                                        Bearer  MCP JSON-RPC endpoint

Testing

# Health check
curl https://mcp.wilddragon.net/health

# Check OAuth metadata
curl https://mcp.wilddragon.net/.well-known/oauth-authorization-server

# Check resource metadata
curl https://mcp.wilddragon.net/.well-known/oauth-protected-resource

# Verify 401 on unauthenticated MCP request
curl -X POST https://mcp.wilddragon.net/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"initialize","params":{},"id":1}'
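The last curl above only shows that /mcp answers 401; what a reviewer also wants to confirm is that the challenge and the two metadata documents form a consistent discovery chain rooted at OAUTH_ISSUER_URL. The following is an added check, not part of the project: it parses a Bearer challenge and validates the RFC 9728 and RFC 8414 documents against the issuer. The sample header and JSON documents are constructed here, not captured from the live gateway, and the field names beyond those two RFCs are assumptions.

```python
import re
from urllib.parse import urlparse

ISSUER = "https://mcp.wilddragon.net"  # OAUTH_ISSUER_URL from the setup table

# Constructed sample responses (not captured from the live gateway).
SAMPLE_WWW_AUTH = ('Bearer resource_metadata='
                   '"https://mcp.wilddragon.net/.well-known/oauth-protected-resource"')
SAMPLE_RESOURCE_META = {"resource": ISSUER + "/mcp",
                        "authorization_servers": [ISSUER]}
SAMPLE_AS_META = {"issuer": ISSUER,
                  "registration_endpoint": ISSUER + "/oauth/register",
                  "authorization_endpoint": ISSUER + "/oauth/authorize",
                  "token_endpoint": ISSUER + "/oauth/token",
                  "code_challenge_methods_supported": ["S256"]}

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header: str) -> dict:
    """Split 'Bearer k="v", ...' (RFC 6750 syntax) into its auth-params."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("expected a Bearer challenge")
    return dict(_PARAM_RE.findall(params))


def _under_issuer(url) -> bool:
    """True only for an https URL that lives under OAUTH_ISSUER_URL."""
    return (isinstance(url, str) and url.startswith(ISSUER + "/")
            and urlparse(url).scheme == "https")


def check_discovery(www_auth: str, resource_meta: dict, as_meta: dict) -> list:
    """Steps 1-3 of the OAuth flow: return findings; an empty list means consistent."""
    findings = []
    meta_url = parse_bearer_challenge(www_auth).get("resource_metadata")
    if not _under_issuer(meta_url):
        findings.append("resource_metadata missing or not an https URL under the issuer")
    if ISSUER not in resource_meta.get("authorization_servers", []):
        findings.append("protected-resource metadata does not list the gateway as AS")
    if as_meta.get("issuer") != ISSUER:
        findings.append("authorization-server issuer does not match OAUTH_ISSUER_URL")
    for key in ("registration_endpoint", "authorization_endpoint", "token_endpoint"):
        if not _under_issuer(as_meta.get(key)):
            findings.append(f"{key} missing or off-issuer")
    if "S256" not in as_meta.get("code_challenge_methods_supported", []):
        findings.append("S256 PKCE not advertised")
    return findings
```

Feed it the WWW-Authenticate value from `curl -i` and the two JSON documents from the metadata curls; any non-empty result is a misconfiguration worth fixing before pasting the URL into claude.ai.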

Adding New Backends

Add a new MCP_BACKEND_<NAME> env var to the gateway service in docker-compose.yml and rebuild. Tools will be auto-discovered and prefixed with the backend name.